aboutsummaryrefslogtreecommitdiffstats
path: root/kernel
diff options
context:
space:
mode:
Diffstat (limited to 'kernel')
-rw-r--r--kernel/audit.c434
-rw-r--r--kernel/auditfilter.c54
-rw-r--r--kernel/auditsc.c349
-rw-r--r--kernel/sysctl.c11
4 files changed, 467 insertions, 381 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index 801c946dd24b..c8555b180213 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -66,10 +66,11 @@
66 * (Initialization happens after skb_init is called.) */ 66 * (Initialization happens after skb_init is called.) */
67static int audit_initialized; 67static int audit_initialized;
68 68
69/* 0 - no auditing 69#define AUDIT_OFF 0
70 * 1 - auditing enabled 70#define AUDIT_ON 1
71 * 2 - auditing enabled and configuration is locked/unchangeable. */ 71#define AUDIT_LOCKED 2
72int audit_enabled; 72int audit_enabled;
73int audit_ever_enabled;
73 74
74/* Default state when kernel boots without any parameters. */ 75/* Default state when kernel boots without any parameters. */
75static int audit_default; 76static int audit_default;
@@ -152,8 +153,10 @@ struct audit_buffer {
152 153
153static void audit_set_pid(struct audit_buffer *ab, pid_t pid) 154static void audit_set_pid(struct audit_buffer *ab, pid_t pid)
154{ 155{
155 struct nlmsghdr *nlh = nlmsg_hdr(ab->skb); 156 if (ab) {
156 nlh->nlmsg_pid = pid; 157 struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
158 nlh->nlmsg_pid = pid;
159 }
157} 160}
158 161
159void audit_panic(const char *message) 162void audit_panic(const char *message)
@@ -163,7 +166,8 @@ void audit_panic(const char *message)
163 case AUDIT_FAIL_SILENT: 166 case AUDIT_FAIL_SILENT:
164 break; 167 break;
165 case AUDIT_FAIL_PRINTK: 168 case AUDIT_FAIL_PRINTK:
166 printk(KERN_ERR "audit: %s\n", message); 169 if (printk_ratelimit())
170 printk(KERN_ERR "audit: %s\n", message);
167 break; 171 break;
168 case AUDIT_FAIL_PANIC: 172 case AUDIT_FAIL_PANIC:
169 panic("audit: %s\n", message); 173 panic("audit: %s\n", message);
@@ -231,161 +235,107 @@ void audit_log_lost(const char *message)
231 } 235 }
232 236
233 if (print) { 237 if (print) {
234 printk(KERN_WARNING 238 if (printk_ratelimit())
235 "audit: audit_lost=%d audit_rate_limit=%d audit_backlog_limit=%d\n", 239 printk(KERN_WARNING
236 atomic_read(&audit_lost), 240 "audit: audit_lost=%d audit_rate_limit=%d "
237 audit_rate_limit, 241 "audit_backlog_limit=%d\n",
238 audit_backlog_limit); 242 atomic_read(&audit_lost),
243 audit_rate_limit,
244 audit_backlog_limit);
239 audit_panic(message); 245 audit_panic(message);
240 } 246 }
241} 247}
242 248
243static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid) 249static int audit_log_config_change(char *function_name, int new, int old,
250 uid_t loginuid, u32 sid, int allow_changes)
244{ 251{
245 int res, rc = 0, old = audit_rate_limit; 252 struct audit_buffer *ab;
246 253 int rc = 0;
247 /* check if we are locked */
248 if (audit_enabled == 2)
249 res = 0;
250 else
251 res = 1;
252 254
255 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
256 audit_log_format(ab, "%s=%d old=%d by auid=%u", function_name, new,
257 old, loginuid);
253 if (sid) { 258 if (sid) {
254 char *ctx = NULL; 259 char *ctx = NULL;
255 u32 len; 260 u32 len;
256 if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) { 261
257 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 262 rc = selinux_sid_to_string(sid, &ctx, &len);
258 "audit_rate_limit=%d old=%d by auid=%u" 263 if (rc) {
259 " subj=%s res=%d", 264 audit_log_format(ab, " sid=%u", sid);
260 limit, old, loginuid, ctx, res); 265 allow_changes = 0; /* Something weird, deny request */
266 } else {
267 audit_log_format(ab, " subj=%s", ctx);
261 kfree(ctx); 268 kfree(ctx);
262 } else 269 }
263 res = 0; /* Something weird, deny request */
264 } 270 }
265 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 271 audit_log_format(ab, " res=%d", allow_changes);
266 "audit_rate_limit=%d old=%d by auid=%u res=%d", 272 audit_log_end(ab);
267 limit, old, loginuid, res);
268
269 /* If we are allowed, make the change */
270 if (res == 1)
271 audit_rate_limit = limit;
272 /* Not allowed, update reason */
273 else if (rc == 0)
274 rc = -EPERM;
275 return rc; 273 return rc;
276} 274}
277 275
278static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid) 276static int audit_do_config_change(char *function_name, int *to_change,
277 int new, uid_t loginuid, u32 sid)
279{ 278{
280 int res, rc = 0, old = audit_backlog_limit; 279 int allow_changes, rc = 0, old = *to_change;
281 280
282 /* check if we are locked */ 281 /* check if we are locked */
283 if (audit_enabled == 2) 282 if (audit_enabled == AUDIT_LOCKED)
284 res = 0; 283 allow_changes = 0;
285 else 284 else
286 res = 1; 285 allow_changes = 1;
287 286
288 if (sid) { 287 if (audit_enabled != AUDIT_OFF) {
289 char *ctx = NULL; 288 rc = audit_log_config_change(function_name, new, old,
290 u32 len; 289 loginuid, sid, allow_changes);
291 if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) { 290 if (rc)
292 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 291 allow_changes = 0;
293 "audit_backlog_limit=%d old=%d by auid=%u"
294 " subj=%s res=%d",
295 limit, old, loginuid, ctx, res);
296 kfree(ctx);
297 } else
298 res = 0; /* Something weird, deny request */
299 } 292 }
300 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
301 "audit_backlog_limit=%d old=%d by auid=%u res=%d",
302 limit, old, loginuid, res);
303 293
304 /* If we are allowed, make the change */ 294 /* If we are allowed, make the change */
305 if (res == 1) 295 if (allow_changes == 1)
306 audit_backlog_limit = limit; 296 *to_change = new;
307 /* Not allowed, update reason */ 297 /* Not allowed, update reason */
308 else if (rc == 0) 298 else if (rc == 0)
309 rc = -EPERM; 299 rc = -EPERM;
310 return rc; 300 return rc;
311} 301}
312 302
313static int audit_set_enabled(int state, uid_t loginuid, u32 sid) 303static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
304{
305 return audit_do_config_change("audit_rate_limit", &audit_rate_limit,
306 limit, loginuid, sid);
307}
308
309static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)
314{ 310{
315 int res, rc = 0, old = audit_enabled; 311 return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit,
312 limit, loginuid, sid);
313}
316 314
317 if (state < 0 || state > 2) 315static int audit_set_enabled(int state, uid_t loginuid, u32 sid)
316{
317 int rc;
318 if (state < AUDIT_OFF || state > AUDIT_LOCKED)
318 return -EINVAL; 319 return -EINVAL;
319 320
320 /* check if we are locked */ 321 rc = audit_do_config_change("audit_enabled", &audit_enabled, state,
321 if (audit_enabled == 2) 322 loginuid, sid);
322 res = 0;
323 else
324 res = 1;
325 323
326 if (sid) { 324 if (!rc)
327 char *ctx = NULL; 325 audit_ever_enabled |= !!state;
328 u32 len;
329 if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
330 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
331 "audit_enabled=%d old=%d by auid=%u"
332 " subj=%s res=%d",
333 state, old, loginuid, ctx, res);
334 kfree(ctx);
335 } else
336 res = 0; /* Something weird, deny request */
337 }
338 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
339 "audit_enabled=%d old=%d by auid=%u res=%d",
340 state, old, loginuid, res);
341 326
342 /* If we are allowed, make the change */
343 if (res == 1)
344 audit_enabled = state;
345 /* Not allowed, update reason */
346 else if (rc == 0)
347 rc = -EPERM;
348 return rc; 327 return rc;
349} 328}
350 329
351static int audit_set_failure(int state, uid_t loginuid, u32 sid) 330static int audit_set_failure(int state, uid_t loginuid, u32 sid)
352{ 331{
353 int res, rc = 0, old = audit_failure;
354
355 if (state != AUDIT_FAIL_SILENT 332 if (state != AUDIT_FAIL_SILENT
356 && state != AUDIT_FAIL_PRINTK 333 && state != AUDIT_FAIL_PRINTK
357 && state != AUDIT_FAIL_PANIC) 334 && state != AUDIT_FAIL_PANIC)
358 return -EINVAL; 335 return -EINVAL;
359 336
360 /* check if we are locked */ 337 return audit_do_config_change("audit_failure", &audit_failure, state,
361 if (audit_enabled == 2) 338 loginuid, sid);
362 res = 0;
363 else
364 res = 1;
365
366 if (sid) {
367 char *ctx = NULL;
368 u32 len;
369 if ((rc = selinux_sid_to_string(sid, &ctx, &len)) == 0) {
370 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
371 "audit_failure=%d old=%d by auid=%u"
372 " subj=%s res=%d",
373 state, old, loginuid, ctx, res);
374 kfree(ctx);
375 } else
376 res = 0; /* Something weird, deny request */
377 }
378 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
379 "audit_failure=%d old=%d by auid=%u res=%d",
380 state, old, loginuid, res);
381
382 /* If we are allowed, make the change */
383 if (res == 1)
384 audit_failure = state;
385 /* Not allowed, update reason */
386 else if (rc == 0)
387 rc = -EPERM;
388 return rc;
389} 339}
390 340
391static int kauditd_thread(void *dummy) 341static int kauditd_thread(void *dummy)
@@ -405,7 +355,11 @@ static int kauditd_thread(void *dummy)
405 audit_pid = 0; 355 audit_pid = 0;
406 } 356 }
407 } else { 357 } else {
408 printk(KERN_NOTICE "%s\n", skb->data + NLMSG_SPACE(0)); 358 if (printk_ratelimit())
359 printk(KERN_NOTICE "%s\n", skb->data +
360 NLMSG_SPACE(0));
361 else
362 audit_log_lost("printk limit exceeded\n");
409 kfree_skb(skb); 363 kfree_skb(skb);
410 } 364 }
411 } else { 365 } else {
@@ -573,6 +527,33 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
573 return err; 527 return err;
574} 528}
575 529
530static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
531 u32 pid, u32 uid, uid_t auid, u32 sid)
532{
533 int rc = 0;
534 char *ctx = NULL;
535 u32 len;
536
537 if (!audit_enabled) {
538 *ab = NULL;
539 return rc;
540 }
541
542 *ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
543 audit_log_format(*ab, "user pid=%d uid=%u auid=%u",
544 pid, uid, auid);
545 if (sid) {
546 rc = selinux_sid_to_string(sid, &ctx, &len);
547 if (rc)
548 audit_log_format(*ab, " ssid=%u", sid);
549 else
550 audit_log_format(*ab, " subj=%s", ctx);
551 kfree(ctx);
552 }
553
554 return rc;
555}
556
576static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) 557static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
577{ 558{
578 u32 uid, pid, seq, sid; 559 u32 uid, pid, seq, sid;
@@ -583,7 +564,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
583 u16 msg_type = nlh->nlmsg_type; 564 u16 msg_type = nlh->nlmsg_type;
584 uid_t loginuid; /* loginuid of sender */ 565 uid_t loginuid; /* loginuid of sender */
585 struct audit_sig_info *sig_data; 566 struct audit_sig_info *sig_data;
586 char *ctx; 567 char *ctx = NULL;
587 u32 len; 568 u32 len;
588 569
589 err = audit_netlink_ok(skb, msg_type); 570 err = audit_netlink_ok(skb, msg_type);
@@ -634,23 +615,14 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
634 if (err < 0) return err; 615 if (err < 0) return err;
635 } 616 }
636 if (status_get->mask & AUDIT_STATUS_PID) { 617 if (status_get->mask & AUDIT_STATUS_PID) {
637 int old = audit_pid; 618 int new_pid = status_get->pid;
638 if (sid) { 619
639 if ((err = selinux_sid_to_string( 620 if (audit_enabled != AUDIT_OFF)
640 sid, &ctx, &len))) 621 audit_log_config_change("audit_pid", new_pid,
641 return err; 622 audit_pid, loginuid,
642 else 623 sid, 1);
643 audit_log(NULL, GFP_KERNEL, 624
644 AUDIT_CONFIG_CHANGE, 625 audit_pid = new_pid;
645 "audit_pid=%d old=%d by auid=%u subj=%s",
646 status_get->pid, old,
647 loginuid, ctx);
648 kfree(ctx);
649 } else
650 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
651 "audit_pid=%d old=%d by auid=%u",
652 status_get->pid, old, loginuid);
653 audit_pid = status_get->pid;
654 } 626 }
655 if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) 627 if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
656 err = audit_set_rate_limit(status_get->rate_limit, 628 err = audit_set_rate_limit(status_get->rate_limit,
@@ -673,64 +645,35 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
673 if (err) 645 if (err)
674 break; 646 break;
675 } 647 }
676 ab = audit_log_start(NULL, GFP_KERNEL, msg_type); 648 audit_log_common_recv_msg(&ab, msg_type, pid, uid,
677 if (ab) { 649 loginuid, sid);
678 audit_log_format(ab, 650
679 "user pid=%d uid=%u auid=%u", 651 if (msg_type != AUDIT_USER_TTY)
680 pid, uid, loginuid); 652 audit_log_format(ab, " msg='%.1024s'",
681 if (sid) { 653 (char *)data);
682 if (selinux_sid_to_string( 654 else {
683 sid, &ctx, &len)) { 655 int size;
684 audit_log_format(ab, 656
685 " ssid=%u", sid); 657 audit_log_format(ab, " msg=");
686 /* Maybe call audit_panic? */ 658 size = nlmsg_len(nlh);
687 } else 659 audit_log_n_untrustedstring(ab, size,
688 audit_log_format(ab, 660 data);
689 " subj=%s", ctx);
690 kfree(ctx);
691 }
692 if (msg_type != AUDIT_USER_TTY)
693 audit_log_format(ab, " msg='%.1024s'",
694 (char *)data);
695 else {
696 int size;
697
698 audit_log_format(ab, " msg=");
699 size = nlmsg_len(nlh);
700 audit_log_n_untrustedstring(ab, size,
701 data);
702 }
703 audit_set_pid(ab, pid);
704 audit_log_end(ab);
705 } 661 }
662 audit_set_pid(ab, pid);
663 audit_log_end(ab);
706 } 664 }
707 break; 665 break;
708 case AUDIT_ADD: 666 case AUDIT_ADD:
709 case AUDIT_DEL: 667 case AUDIT_DEL:
710 if (nlmsg_len(nlh) < sizeof(struct audit_rule)) 668 if (nlmsg_len(nlh) < sizeof(struct audit_rule))
711 return -EINVAL; 669 return -EINVAL;
712 if (audit_enabled == 2) { 670 if (audit_enabled == AUDIT_LOCKED) {
713 ab = audit_log_start(NULL, GFP_KERNEL, 671 audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
714 AUDIT_CONFIG_CHANGE); 672 uid, loginuid, sid);
715 if (ab) { 673
716 audit_log_format(ab, 674 audit_log_format(ab, " audit_enabled=%d res=0",
717 "pid=%d uid=%u auid=%u", 675 audit_enabled);
718 pid, uid, loginuid); 676 audit_log_end(ab);
719 if (sid) {
720 if (selinux_sid_to_string(
721 sid, &ctx, &len)) {
722 audit_log_format(ab,
723 " ssid=%u", sid);
724 /* Maybe call audit_panic? */
725 } else
726 audit_log_format(ab,
727 " subj=%s", ctx);
728 kfree(ctx);
729 }
730 audit_log_format(ab, " audit_enabled=%d res=0",
731 audit_enabled);
732 audit_log_end(ab);
733 }
734 return -EPERM; 677 return -EPERM;
735 } 678 }
736 /* fallthrough */ 679 /* fallthrough */
@@ -743,28 +686,13 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
743 case AUDIT_DEL_RULE: 686 case AUDIT_DEL_RULE:
744 if (nlmsg_len(nlh) < sizeof(struct audit_rule_data)) 687 if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
745 return -EINVAL; 688 return -EINVAL;
746 if (audit_enabled == 2) { 689 if (audit_enabled == AUDIT_LOCKED) {
747 ab = audit_log_start(NULL, GFP_KERNEL, 690 audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
748 AUDIT_CONFIG_CHANGE); 691 uid, loginuid, sid);
749 if (ab) { 692
750 audit_log_format(ab, 693 audit_log_format(ab, " audit_enabled=%d res=0",
751 "pid=%d uid=%u auid=%u", 694 audit_enabled);
752 pid, uid, loginuid); 695 audit_log_end(ab);
753 if (sid) {
754 if (selinux_sid_to_string(
755 sid, &ctx, &len)) {
756 audit_log_format(ab,
757 " ssid=%u", sid);
758 /* Maybe call audit_panic? */
759 } else
760 audit_log_format(ab,
761 " subj=%s", ctx);
762 kfree(ctx);
763 }
764 audit_log_format(ab, " audit_enabled=%d res=0",
765 audit_enabled);
766 audit_log_end(ab);
767 }
768 return -EPERM; 696 return -EPERM;
769 } 697 }
770 /* fallthrough */ 698 /* fallthrough */
@@ -775,19 +703,10 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
775 break; 703 break;
776 case AUDIT_TRIM: 704 case AUDIT_TRIM:
777 audit_trim_trees(); 705 audit_trim_trees();
778 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 706
779 if (!ab) 707 audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
780 break; 708 uid, loginuid, sid);
781 audit_log_format(ab, "auid=%u", loginuid); 709
782 if (sid) {
783 u32 len;
784 ctx = NULL;
785 if (selinux_sid_to_string(sid, &ctx, &len))
786 audit_log_format(ab, " ssid=%u", sid);
787 else
788 audit_log_format(ab, " subj=%s", ctx);
789 kfree(ctx);
790 }
791 audit_log_format(ab, " op=trim res=1"); 710 audit_log_format(ab, " op=trim res=1");
792 audit_log_end(ab); 711 audit_log_end(ab);
793 break; 712 break;
@@ -817,22 +736,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
817 /* OK, here comes... */ 736 /* OK, here comes... */
818 err = audit_tag_tree(old, new); 737 err = audit_tag_tree(old, new);
819 738
820 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 739 audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
821 if (!ab) { 740 uid, loginuid, sid);
822 kfree(old); 741
823 kfree(new);
824 break;
825 }
826 audit_log_format(ab, "auid=%u", loginuid);
827 if (sid) {
828 u32 len;
829 ctx = NULL;
830 if (selinux_sid_to_string(sid, &ctx, &len))
831 audit_log_format(ab, " ssid=%u", sid);
832 else
833 audit_log_format(ab, " subj=%s", ctx);
834 kfree(ctx);
835 }
836 audit_log_format(ab, " op=make_equiv old="); 742 audit_log_format(ab, " op=make_equiv old=");
837 audit_log_untrustedstring(ab, old); 743 audit_log_untrustedstring(ab, old);
838 audit_log_format(ab, " new="); 744 audit_log_format(ab, " new=");
@@ -965,6 +871,7 @@ static int __init audit_init(void)
965 skb_queue_head_init(&audit_skb_queue); 871 skb_queue_head_init(&audit_skb_queue);
966 audit_initialized = 1; 872 audit_initialized = 1;
967 audit_enabled = audit_default; 873 audit_enabled = audit_default;
874 audit_ever_enabled |= !!audit_default;
968 875
969 /* Register the callback with selinux. This callback will be invoked 876 /* Register the callback with selinux. This callback will be invoked
970 * when a new policy is loaded. */ 877 * when a new policy is loaded. */
@@ -992,8 +899,10 @@ static int __init audit_enable(char *str)
992 printk(KERN_INFO "audit: %s%s\n", 899 printk(KERN_INFO "audit: %s%s\n",
993 audit_default ? "enabled" : "disabled", 900 audit_default ? "enabled" : "disabled",
994 audit_initialized ? "" : " (after initialization)"); 901 audit_initialized ? "" : " (after initialization)");
995 if (audit_initialized) 902 if (audit_initialized) {
996 audit_enabled = audit_default; 903 audit_enabled = audit_default;
904 audit_ever_enabled |= !!audit_default;
905 }
997 return 1; 906 return 1;
998} 907}
999 908
@@ -1130,7 +1039,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
1130{ 1039{
1131 struct audit_buffer *ab = NULL; 1040 struct audit_buffer *ab = NULL;
1132 struct timespec t; 1041 struct timespec t;
1133 unsigned int serial; 1042 unsigned int uninitialized_var(serial);
1134 int reserve; 1043 int reserve;
1135 unsigned long timeout_start = jiffies; 1044 unsigned long timeout_start = jiffies;
1136 1045
@@ -1164,7 +1073,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
1164 remove_wait_queue(&audit_backlog_wait, &wait); 1073 remove_wait_queue(&audit_backlog_wait, &wait);
1165 continue; 1074 continue;
1166 } 1075 }
1167 if (audit_rate_check()) 1076 if (audit_rate_check() && printk_ratelimit())
1168 printk(KERN_WARNING 1077 printk(KERN_WARNING
1169 "audit: audit_backlog=%d > " 1078 "audit: audit_backlog=%d > "
1170 "audit_backlog_limit=%d\n", 1079 "audit_backlog_limit=%d\n",
@@ -1249,6 +1158,7 @@ static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
1249 goto out; 1158 goto out;
1250 len = vsnprintf(skb_tail_pointer(skb), avail, fmt, args2); 1159 len = vsnprintf(skb_tail_pointer(skb), avail, fmt, args2);
1251 } 1160 }
1161 va_end(args2);
1252 if (len > 0) 1162 if (len > 0)
1253 skb_put(skb, len); 1163 skb_put(skb, len);
1254out: 1164out:
@@ -1350,6 +1260,21 @@ static void audit_log_n_string(struct audit_buffer *ab, size_t slen,
1350} 1260}
1351 1261
1352/** 1262/**
1263 * audit_string_contains_control - does a string need to be logged in hex
1264 * @string - string to be checked
1265 * @len - max length of the string to check
1266 */
1267int audit_string_contains_control(const char *string, size_t len)
1268{
1269 const unsigned char *p;
1270 for (p = string; p < (const unsigned char *)string + len && *p; p++) {
1271 if (*p == '"' || *p < 0x21 || *p > 0x7f)
1272 return 1;
1273 }
1274 return 0;
1275}
1276
1277/**
1353 * audit_log_n_untrustedstring - log a string that may contain random characters 1278 * audit_log_n_untrustedstring - log a string that may contain random characters
1354 * @ab: audit_buffer 1279 * @ab: audit_buffer
1355 * @len: lenth of string (not including trailing null) 1280 * @len: lenth of string (not including trailing null)
@@ -1363,19 +1288,13 @@ static void audit_log_n_string(struct audit_buffer *ab, size_t slen,
1363 * The caller specifies the number of characters in the string to log, which may 1288 * The caller specifies the number of characters in the string to log, which may
1364 * or may not be the entire string. 1289 * or may not be the entire string.
1365 */ 1290 */
1366const char *audit_log_n_untrustedstring(struct audit_buffer *ab, size_t len, 1291void audit_log_n_untrustedstring(struct audit_buffer *ab, size_t len,
1367 const char *string) 1292 const char *string)
1368{ 1293{
1369 const unsigned char *p; 1294 if (audit_string_contains_control(string, len))
1370 1295 audit_log_hex(ab, string, len);
1371 for (p = string; p < (const unsigned char *)string + len && *p; p++) { 1296 else
1372 if (*p == '"' || *p < 0x21 || *p > 0x7f) { 1297 audit_log_n_string(ab, len, string);
1373 audit_log_hex(ab, string, len);
1374 return string + len + 1;
1375 }
1376 }
1377 audit_log_n_string(ab, len, string);
1378 return p + 1;
1379} 1298}
1380 1299
1381/** 1300/**
@@ -1386,9 +1305,9 @@ const char *audit_log_n_untrustedstring(struct audit_buffer *ab, size_t len,
1386 * Same as audit_log_n_untrustedstring(), except that strlen is used to 1305 * Same as audit_log_n_untrustedstring(), except that strlen is used to
1387 * determine string length. 1306 * determine string length.
1388 */ 1307 */
1389const char *audit_log_untrustedstring(struct audit_buffer *ab, const char *string) 1308void audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
1390{ 1309{
1391 return audit_log_n_untrustedstring(ab, strlen(string), string); 1310 audit_log_n_untrustedstring(ab, strlen(string), string);
1392} 1311}
1393 1312
1394/* This is a helper-function to print the escaped d_path */ 1313/* This is a helper-function to print the escaped d_path */
@@ -1437,8 +1356,11 @@ void audit_log_end(struct audit_buffer *ab)
1437 skb_queue_tail(&audit_skb_queue, ab->skb); 1356 skb_queue_tail(&audit_skb_queue, ab->skb);
1438 ab->skb = NULL; 1357 ab->skb = NULL;
1439 wake_up_interruptible(&kauditd_wait); 1358 wake_up_interruptible(&kauditd_wait);
1359 } else if (printk_ratelimit()) {
1360 struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
1361 printk(KERN_NOTICE "type=%d %s\n", nlh->nlmsg_type, ab->skb->data + NLMSG_SPACE(0));
1440 } else { 1362 } else {
1441 printk(KERN_NOTICE "%s\n", ab->skb->data + NLMSG_SPACE(0)); 1363 audit_log_lost("printk limit exceeded\n");
1442 } 1364 }
1443 } 1365 }
1444 audit_buffer_free(ab); 1366 audit_buffer_free(ab);
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 5d96f2cc7be8..6f19fd477aac 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -95,6 +95,8 @@ extern struct inotify_handle *audit_ih;
95/* Inotify events we care about. */ 95/* Inotify events we care about. */
96#define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF 96#define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF
97 97
98extern int audit_enabled;
99
98void audit_free_parent(struct inotify_watch *i_watch) 100void audit_free_parent(struct inotify_watch *i_watch)
99{ 101{
100 struct audit_parent *parent; 102 struct audit_parent *parent;
@@ -974,7 +976,6 @@ static void audit_update_watch(struct audit_parent *parent,
974 struct audit_watch *owatch, *nwatch, *nextw; 976 struct audit_watch *owatch, *nwatch, *nextw;
975 struct audit_krule *r, *nextr; 977 struct audit_krule *r, *nextr;
976 struct audit_entry *oentry, *nentry; 978 struct audit_entry *oentry, *nentry;
977 struct audit_buffer *ab;
978 979
979 mutex_lock(&audit_filter_mutex); 980 mutex_lock(&audit_filter_mutex);
980 list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) { 981 list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) {
@@ -1014,13 +1015,18 @@ static void audit_update_watch(struct audit_parent *parent,
1014 call_rcu(&oentry->rcu, audit_free_rule_rcu); 1015 call_rcu(&oentry->rcu, audit_free_rule_rcu);
1015 } 1016 }
1016 1017
1017 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1018 if (audit_enabled) {
1018 audit_log_format(ab, "op=updated rules specifying path="); 1019 struct audit_buffer *ab;
1019 audit_log_untrustedstring(ab, owatch->path); 1020 ab = audit_log_start(NULL, GFP_KERNEL,
1020 audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino); 1021 AUDIT_CONFIG_CHANGE);
1021 audit_log_format(ab, " list=%d res=1", r->listnr); 1022 audit_log_format(ab,
1022 audit_log_end(ab); 1023 "op=updated rules specifying path=");
1023 1024 audit_log_untrustedstring(ab, owatch->path);
1025 audit_log_format(ab, " with dev=%u ino=%lu\n",
1026 dev, ino);
1027 audit_log_format(ab, " list=%d res=1", r->listnr);
1028 audit_log_end(ab);
1029 }
1024 audit_remove_watch(owatch); 1030 audit_remove_watch(owatch);
1025 goto add_watch_to_parent; /* event applies to a single watch */ 1031 goto add_watch_to_parent; /* event applies to a single watch */
1026 } 1032 }
@@ -1039,25 +1045,28 @@ static void audit_remove_parent_watches(struct audit_parent *parent)
1039 struct audit_watch *w, *nextw; 1045 struct audit_watch *w, *nextw;
1040 struct audit_krule *r, *nextr; 1046 struct audit_krule *r, *nextr;
1041 struct audit_entry *e; 1047 struct audit_entry *e;
1042 struct audit_buffer *ab;
1043 1048
1044 mutex_lock(&audit_filter_mutex); 1049 mutex_lock(&audit_filter_mutex);
1045 parent->flags |= AUDIT_PARENT_INVALID; 1050 parent->flags |= AUDIT_PARENT_INVALID;
1046 list_for_each_entry_safe(w, nextw, &parent->watches, wlist) { 1051 list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
1047 list_for_each_entry_safe(r, nextr, &w->rules, rlist) { 1052 list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
1048 e = container_of(r, struct audit_entry, rule); 1053 e = container_of(r, struct audit_entry, rule);
1049 1054 if (audit_enabled) {
1050 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1055 struct audit_buffer *ab;
1051 audit_log_format(ab, "op=remove rule path="); 1056 ab = audit_log_start(NULL, GFP_KERNEL,
1052 audit_log_untrustedstring(ab, w->path); 1057 AUDIT_CONFIG_CHANGE);
1053 if (r->filterkey) { 1058 audit_log_format(ab, "op=remove rule path=");
1054 audit_log_format(ab, " key="); 1059 audit_log_untrustedstring(ab, w->path);
1055 audit_log_untrustedstring(ab, r->filterkey); 1060 if (r->filterkey) {
1056 } else 1061 audit_log_format(ab, " key=");
1057 audit_log_format(ab, " key=(null)"); 1062 audit_log_untrustedstring(ab,
1058 audit_log_format(ab, " list=%d res=1", r->listnr); 1063 r->filterkey);
1059 audit_log_end(ab); 1064 } else
1060 1065 audit_log_format(ab, " key=(null)");
1066 audit_log_format(ab, " list=%d res=1",
1067 r->listnr);
1068 audit_log_end(ab);
1069 }
1061 list_del(&r->rlist); 1070 list_del(&r->rlist);
1062 list_del_rcu(&e->list); 1071 list_del_rcu(&e->list);
1063 call_rcu(&e->rcu, audit_free_rule_rcu); 1072 call_rcu(&e->rcu, audit_free_rule_rcu);
@@ -1495,6 +1504,9 @@ static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action,
1495{ 1504{
1496 struct audit_buffer *ab; 1505 struct audit_buffer *ab;
1497 1506
1507 if (!audit_enabled)
1508 return;
1509
1498 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1510 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
1499 if (!ab) 1511 if (!ab)
1500 return; 1512 return;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index bce9ecdb7712..1c06ecf38d7b 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -70,6 +70,7 @@
70#include "audit.h" 70#include "audit.h"
71 71
72extern struct list_head audit_filter_list[]; 72extern struct list_head audit_filter_list[];
73extern int audit_ever_enabled;
73 74
74/* AUDIT_NAMES is the number of slots we reserve in the audit_context 75/* AUDIT_NAMES is the number of slots we reserve in the audit_context
75 * for saving names from getname(). */ 76 * for saving names from getname(). */
@@ -78,6 +79,9 @@ extern struct list_head audit_filter_list[];
78/* Indicates that audit should log the full pathname. */ 79/* Indicates that audit should log the full pathname. */
79#define AUDIT_NAME_FULL -1 80#define AUDIT_NAME_FULL -1
80 81
82/* no execve audit message should be longer than this (userspace limits) */
83#define MAX_EXECVE_AUDIT_LEN 7500
84
81/* number of audit rules */ 85/* number of audit rules */
82int audit_n_rules; 86int audit_n_rules;
83 87
@@ -176,7 +180,11 @@ struct audit_aux_data_fd_pair {
176struct audit_aux_data_pids { 180struct audit_aux_data_pids {
177 struct audit_aux_data d; 181 struct audit_aux_data d;
178 pid_t target_pid[AUDIT_AUX_PIDS]; 182 pid_t target_pid[AUDIT_AUX_PIDS];
183 uid_t target_auid[AUDIT_AUX_PIDS];
184 uid_t target_uid[AUDIT_AUX_PIDS];
185 unsigned int target_sessionid[AUDIT_AUX_PIDS];
179 u32 target_sid[AUDIT_AUX_PIDS]; 186 u32 target_sid[AUDIT_AUX_PIDS];
187 char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
180 int pid_count; 188 int pid_count;
181}; 189};
182 190
@@ -192,7 +200,6 @@ struct audit_context {
192 enum audit_state state; 200 enum audit_state state;
193 unsigned int serial; /* serial number for record */ 201 unsigned int serial; /* serial number for record */
194 struct timespec ctime; /* time of syscall entry */ 202 struct timespec ctime; /* time of syscall entry */
195 uid_t loginuid; /* login uid (identity) */
196 int major; /* syscall number */ 203 int major; /* syscall number */
197 unsigned long argv[4]; /* syscall arguments */ 204 unsigned long argv[4]; /* syscall arguments */
198 int return_valid; /* return code is valid */ 205 int return_valid; /* return code is valid */
@@ -215,7 +222,11 @@ struct audit_context {
215 int arch; 222 int arch;
216 223
217 pid_t target_pid; 224 pid_t target_pid;
225 uid_t target_auid;
226 uid_t target_uid;
227 unsigned int target_sessionid;
218 u32 target_sid; 228 u32 target_sid;
229 char target_comm[TASK_COMM_LEN];
219 230
220 struct audit_tree_refs *trees, *first_trees; 231 struct audit_tree_refs *trees, *first_trees;
221 int tree_count; 232 int tree_count;
@@ -506,7 +517,7 @@ static int audit_filter_rules(struct task_struct *tsk,
506 case AUDIT_LOGINUID: 517 case AUDIT_LOGINUID:
507 result = 0; 518 result = 0;
508 if (ctx) 519 if (ctx)
509 result = audit_comparator(ctx->loginuid, f->op, f->val); 520 result = audit_comparator(tsk->loginuid, f->op, f->val);
510 break; 521 break;
511 case AUDIT_SUBJ_USER: 522 case AUDIT_SUBJ_USER:
512 case AUDIT_SUBJ_ROLE: 523 case AUDIT_SUBJ_ROLE:
@@ -702,7 +713,24 @@ static inline struct audit_context *audit_get_context(struct task_struct *tsk,
702 if (likely(!context)) 713 if (likely(!context))
703 return NULL; 714 return NULL;
704 context->return_valid = return_valid; 715 context->return_valid = return_valid;
705 context->return_code = return_code; 716
717 /*
718 * we need to fix up the return code in the audit logs if the actual
719 * return codes are later going to be fixed up by the arch specific
720 * signal handlers
721 *
722 * This is actually a test for:
723 * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
724 * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
725 *
726 * but is faster than a bunch of ||
727 */
728 if (unlikely(return_code <= -ERESTARTSYS) &&
729 (return_code >= -ERESTART_RESTARTBLOCK) &&
730 (return_code != -ENOIOCTLCMD))
731 context->return_code = -EINTR;
732 else
733 context->return_code = return_code;
706 734
707 if (context->in_syscall && !context->dummy && !context->auditable) { 735 if (context->in_syscall && !context->dummy && !context->auditable) {
708 enum audit_state state; 736 enum audit_state state;
@@ -783,11 +811,8 @@ static inline void audit_free_aux(struct audit_context *context)
783static inline void audit_zero_context(struct audit_context *context, 811static inline void audit_zero_context(struct audit_context *context,
784 enum audit_state state) 812 enum audit_state state)
785{ 813{
786 uid_t loginuid = context->loginuid;
787
788 memset(context, 0, sizeof(*context)); 814 memset(context, 0, sizeof(*context));
789 context->state = state; 815 context->state = state;
790 context->loginuid = loginuid;
791} 816}
792 817
793static inline struct audit_context *audit_alloc_context(enum audit_state state) 818static inline struct audit_context *audit_alloc_context(enum audit_state state)
@@ -814,7 +839,7 @@ int audit_alloc(struct task_struct *tsk)
814 struct audit_context *context; 839 struct audit_context *context;
815 enum audit_state state; 840 enum audit_state state;
816 841
817 if (likely(!audit_enabled)) 842 if (likely(!audit_ever_enabled))
818 return 0; /* Return if not auditing. */ 843 return 0; /* Return if not auditing. */
819 844
820 state = audit_filter_task(tsk); 845 state = audit_filter_task(tsk);
@@ -826,11 +851,6 @@ int audit_alloc(struct task_struct *tsk)
826 return -ENOMEM; 851 return -ENOMEM;
827 } 852 }
828 853
829 /* Preserve login uid */
830 context->loginuid = -1;
831 if (current->audit_context)
832 context->loginuid = current->audit_context->loginuid;
833
834 tsk->audit_context = context; 854 tsk->audit_context = context;
835 set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT); 855 set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
836 return 0; 856 return 0;
@@ -922,7 +942,8 @@ static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk
922} 942}
923 943
924static int audit_log_pid_context(struct audit_context *context, pid_t pid, 944static int audit_log_pid_context(struct audit_context *context, pid_t pid,
925 u32 sid) 945 uid_t auid, uid_t uid, unsigned int sessionid,
946 u32 sid, char *comm)
926{ 947{
927 struct audit_buffer *ab; 948 struct audit_buffer *ab;
928 char *s = NULL; 949 char *s = NULL;
@@ -931,68 +952,204 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
931 952
932 ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); 953 ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
933 if (!ab) 954 if (!ab)
934 return 1; 955 return rc;
935 956
957 audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid,
958 uid, sessionid);
936 if (selinux_sid_to_string(sid, &s, &len)) { 959 if (selinux_sid_to_string(sid, &s, &len)) {
937 audit_log_format(ab, "opid=%d obj=(none)", pid); 960 audit_log_format(ab, " obj=(none)");
938 rc = 1; 961 rc = 1;
939 } else 962 } else
940 audit_log_format(ab, "opid=%d obj=%s", pid, s); 963 audit_log_format(ab, " obj=%s", s);
964 audit_log_format(ab, " ocomm=");
965 audit_log_untrustedstring(ab, comm);
941 audit_log_end(ab); 966 audit_log_end(ab);
942 kfree(s); 967 kfree(s);
943 968
944 return rc; 969 return rc;
945} 970}
946 971
947static void audit_log_execve_info(struct audit_buffer *ab, 972/*
948 struct audit_aux_data_execve *axi) 973 * to_send and len_sent accounting are very loose estimates. We aren't
974 * really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being
975 * within about 500 bytes (next page boundry)
976 *
977 * why snprintf? an int is up to 12 digits long. if we just assumed when
978 * logging that a[%d]= was going to be 16 characters long we would be wasting
979 * space in every audit message. In one 7500 byte message we can log up to
980 * about 1000 min size arguments. That comes down to about 50% waste of space
981 * if we didn't do the snprintf to find out how long arg_num_len was.
982 */
983static int audit_log_single_execve_arg(struct audit_context *context,
984 struct audit_buffer **ab,
985 int arg_num,
986 size_t *len_sent,
987 const char __user *p,
988 char *buf)
949{ 989{
950 int i; 990 char arg_num_len_buf[12];
951 long len, ret; 991 const char __user *tmp_p = p;
952 const char __user *p; 992 /* how many digits are in arg_num? 3 is the length of a=\n */
953 char *buf; 993 size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 3;
994 size_t len, len_left, to_send;
995 size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
996 unsigned int i, has_cntl = 0, too_long = 0;
997 int ret;
998
999 /* strnlen_user includes the null we don't want to send */
1000 len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1;
954 1001
955 if (axi->mm != current->mm) 1002 /*
956 return; /* execve failed, no additional info */ 1003 * We just created this mm, if we can't find the strings
957 1004 * we just copied into it something is _very_ wrong. Similar
958 p = (const char __user *)axi->mm->arg_start; 1005 * for strings that are too long, we should not have created
1006 * any.
1007 */
1008 if (unlikely((len = -1) || len > MAX_ARG_STRLEN - 1)) {
1009 WARN_ON(1);
1010 send_sig(SIGKILL, current, 0);
1011 }
959 1012
960 for (i = 0; i < axi->argc; i++, p += len) { 1013 /* walk the whole argument looking for non-ascii chars */
961 len = strnlen_user(p, MAX_ARG_STRLEN); 1014 do {
1015 if (len_left > MAX_EXECVE_AUDIT_LEN)
1016 to_send = MAX_EXECVE_AUDIT_LEN;
1017 else
1018 to_send = len_left;
1019 ret = copy_from_user(buf, tmp_p, to_send);
962 /* 1020 /*
963 * We just created this mm, if we can't find the strings 1021 * There is no reason for this copy to be short. We just
964 * we just copied into it something is _very_ wrong. Similar 1022 * copied them here, and the mm hasn't been exposed to user-
965 * for strings that are too long, we should not have created 1023 * space yet.
966 * any.
967 */ 1024 */
968 if (!len || len > MAX_ARG_STRLEN) { 1025 if (ret) {
969 WARN_ON(1); 1026 WARN_ON(1);
970 send_sig(SIGKILL, current, 0); 1027 send_sig(SIGKILL, current, 0);
971 } 1028 }
972 1029 buf[to_send] = '\0';
973 buf = kmalloc(len, GFP_KERNEL); 1030 has_cntl = audit_string_contains_control(buf, to_send);
974 if (!buf) { 1031 if (has_cntl) {
975 audit_panic("out of memory for argv string\n"); 1032 /*
1033 * hex messages get logged as 2 bytes, so we can only
1034 * send half as much in each message
1035 */
1036 max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2;
976 break; 1037 break;
977 } 1038 }
1039 len_left -= to_send;
1040 tmp_p += to_send;
1041 } while (len_left > 0);
1042
1043 len_left = len;
1044
1045 if (len > max_execve_audit_len)
1046 too_long = 1;
1047
1048 /* rewalk the argument actually logging the message */
1049 for (i = 0; len_left > 0; i++) {
1050 int room_left;
1051
1052 if (len_left > max_execve_audit_len)
1053 to_send = max_execve_audit_len;
1054 else
1055 to_send = len_left;
1056
1057 /* do we have space left to send this argument in this ab? */
1058 room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent;
1059 if (has_cntl)
1060 room_left -= (to_send * 2);
1061 else
1062 room_left -= to_send;
1063 if (room_left < 0) {
1064 *len_sent = 0;
1065 audit_log_end(*ab);
1066 *ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
1067 if (!*ab)
1068 return 0;
1069 }
978 1070
979 ret = copy_from_user(buf, p, len);
980 /* 1071 /*
981 * There is no reason for this copy to be short. We just 1072 * first record needs to say how long the original string was
982 * copied them here, and the mm hasn't been exposed to user- 1073 * so we can be sure nothing was lost.
983 * space yet. 1074 */
1075 if ((i == 0) && (too_long))
1076 audit_log_format(*ab, "a%d_len=%ld ", arg_num,
1077 has_cntl ? 2*len : len);
1078
1079 /*
1080 * normally arguments are small enough to fit and we already
1081 * filled buf above when we checked for control characters
1082 * so don't bother with another copy_from_user
984 */ 1083 */
1084 if (len >= max_execve_audit_len)
1085 ret = copy_from_user(buf, p, to_send);
1086 else
1087 ret = 0;
985 if (ret) { 1088 if (ret) {
986 WARN_ON(1); 1089 WARN_ON(1);
987 send_sig(SIGKILL, current, 0); 1090 send_sig(SIGKILL, current, 0);
988 } 1091 }
1092 buf[to_send] = '\0';
1093
1094 /* actually log it */
1095 audit_log_format(*ab, "a%d", arg_num);
1096 if (too_long)
1097 audit_log_format(*ab, "[%d]", i);
1098 audit_log_format(*ab, "=");
1099 if (has_cntl)
1100 audit_log_hex(*ab, buf, to_send);
1101 else
1102 audit_log_format(*ab, "\"%s\"", buf);
1103 audit_log_format(*ab, "\n");
1104
1105 p += to_send;
1106 len_left -= to_send;
1107 *len_sent += arg_num_len;
1108 if (has_cntl)
1109 *len_sent += to_send * 2;
1110 else
1111 *len_sent += to_send;
1112 }
1113 /* include the null we didn't log */
1114 return len + 1;
1115}
989 1116
990 audit_log_format(ab, "a%d=", i); 1117static void audit_log_execve_info(struct audit_context *context,
991 audit_log_untrustedstring(ab, buf); 1118 struct audit_buffer **ab,
992 audit_log_format(ab, "\n"); 1119 struct audit_aux_data_execve *axi)
1120{
1121 int i;
1122 size_t len, len_sent = 0;
1123 const char __user *p;
1124 char *buf;
1125
1126 if (axi->mm != current->mm)
1127 return; /* execve failed, no additional info */
1128
1129 p = (const char __user *)axi->mm->arg_start;
1130
1131 audit_log_format(*ab, "argc=%d ", axi->argc);
1132
1133 /*
1134 * we need some kernel buffer to hold the userspace args. Just
1135 * allocate one big one rather than allocating one of the right size
1136 * for every single argument inside audit_log_single_execve_arg()
1137 * should be <8k allocation so should be pretty safe.
1138 */
1139 buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
1140 if (!buf) {
1141 audit_panic("out of memory for argv string\n");
1142 return;
1143 }
993 1144
994 kfree(buf); 1145 for (i = 0; i < axi->argc; i++) {
1146 len = audit_log_single_execve_arg(context, ab, i,
1147 &len_sent, p, buf);
1148 if (len <= 0)
1149 break;
1150 p += len;
995 } 1151 }
1152 kfree(buf);
996} 1153}
997 1154
998static void audit_log_exit(struct audit_context *context, struct task_struct *tsk) 1155static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
@@ -1039,7 +1196,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
1039 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d" 1196 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d"
1040 " ppid=%d pid=%d auid=%u uid=%u gid=%u" 1197 " ppid=%d pid=%d auid=%u uid=%u gid=%u"
1041 " euid=%u suid=%u fsuid=%u" 1198 " euid=%u suid=%u fsuid=%u"
1042 " egid=%u sgid=%u fsgid=%u tty=%s", 1199 " egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
1043 context->argv[0], 1200 context->argv[0],
1044 context->argv[1], 1201 context->argv[1],
1045 context->argv[2], 1202 context->argv[2],
@@ -1047,11 +1204,12 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
1047 context->name_count, 1204 context->name_count,
1048 context->ppid, 1205 context->ppid,
1049 context->pid, 1206 context->pid,
1050 context->loginuid, 1207 tsk->loginuid,
1051 context->uid, 1208 context->uid,
1052 context->gid, 1209 context->gid,
1053 context->euid, context->suid, context->fsuid, 1210 context->euid, context->suid, context->fsuid,
1054 context->egid, context->sgid, context->fsgid, tty); 1211 context->egid, context->sgid, context->fsgid, tty,
1212 tsk->sessionid);
1055 1213
1056 mutex_unlock(&tty_mutex); 1214 mutex_unlock(&tty_mutex);
1057 1215
@@ -1135,7 +1293,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
1135 1293
1136 case AUDIT_EXECVE: { 1294 case AUDIT_EXECVE: {
1137 struct audit_aux_data_execve *axi = (void *)aux; 1295 struct audit_aux_data_execve *axi = (void *)aux;
1138 audit_log_execve_info(ab, axi); 1296 audit_log_execve_info(context, &ab, axi);
1139 break; } 1297 break; }
1140 1298
1141 case AUDIT_SOCKETCALL: { 1299 case AUDIT_SOCKETCALL: {
@@ -1168,13 +1326,19 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
1168 1326
1169 for (i = 0; i < axs->pid_count; i++) 1327 for (i = 0; i < axs->pid_count; i++)
1170 if (audit_log_pid_context(context, axs->target_pid[i], 1328 if (audit_log_pid_context(context, axs->target_pid[i],
1171 axs->target_sid[i])) 1329 axs->target_auid[i],
1330 axs->target_uid[i],
1331 axs->target_sessionid[i],
1332 axs->target_sid[i],
1333 axs->target_comm[i]))
1172 call_panic = 1; 1334 call_panic = 1;
1173 } 1335 }
1174 1336
1175 if (context->target_pid && 1337 if (context->target_pid &&
1176 audit_log_pid_context(context, context->target_pid, 1338 audit_log_pid_context(context, context->target_pid,
1177 context->target_sid)) 1339 context->target_auid, context->target_uid,
1340 context->target_sessionid,
1341 context->target_sid, context->target_comm))
1178 call_panic = 1; 1342 call_panic = 1;
1179 1343
1180 if (context->pwd && context->pwdmnt) { 1344 if (context->pwd && context->pwdmnt) {
@@ -1242,6 +1406,11 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
1242 1406
1243 audit_log_end(ab); 1407 audit_log_end(ab);
1244 } 1408 }
1409
1410 /* Send end of event record to help user space know we are finished */
1411 ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
1412 if (ab)
1413 audit_log_end(ab);
1245 if (call_panic) 1414 if (call_panic)
1246 audit_panic("error converting sid to string"); 1415 audit_panic("error converting sid to string");
1247} 1416}
@@ -1766,6 +1935,9 @@ void auditsc_get_stamp(struct audit_context *ctx,
1766 ctx->auditable = 1; 1935 ctx->auditable = 1;
1767} 1936}
1768 1937
1938/* global counter which is incremented every time something logs in */
1939static atomic_t session_id = ATOMIC_INIT(0);
1940
1769/** 1941/**
1770 * audit_set_loginuid - set a task's audit_context loginuid 1942 * audit_set_loginuid - set a task's audit_context loginuid
1771 * @task: task whose audit context is being modified 1943 * @task: task whose audit context is being modified
@@ -1777,41 +1949,29 @@ void auditsc_get_stamp(struct audit_context *ctx,
1777 */ 1949 */
1778int audit_set_loginuid(struct task_struct *task, uid_t loginuid) 1950int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
1779{ 1951{
1952 unsigned int sessionid = atomic_inc_return(&session_id);
1780 struct audit_context *context = task->audit_context; 1953 struct audit_context *context = task->audit_context;
1781 1954
1782 if (context) { 1955 if (context && context->in_syscall) {
1783 /* Only log if audit is enabled */ 1956 struct audit_buffer *ab;
1784 if (context->in_syscall) { 1957
1785 struct audit_buffer *ab; 1958 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
1786 1959 if (ab) {
1787 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN); 1960 audit_log_format(ab, "login pid=%d uid=%u "
1788 if (ab) { 1961 "old auid=%u new auid=%u"
1789 audit_log_format(ab, "login pid=%d uid=%u " 1962 " old ses=%u new ses=%u",
1790 "old auid=%u new auid=%u", 1963 task->pid, task->uid,
1791 task->pid, task->uid, 1964 task->loginuid, loginuid,
1792 context->loginuid, loginuid); 1965 task->sessionid, sessionid);
1793 audit_log_end(ab); 1966 audit_log_end(ab);
1794 }
1795 } 1967 }
1796 context->loginuid = loginuid;
1797 } 1968 }
1969 task->sessionid = sessionid;
1970 task->loginuid = loginuid;
1798 return 0; 1971 return 0;
1799} 1972}
1800 1973
1801/** 1974/**
1802 * audit_get_loginuid - get the loginuid for an audit_context
1803 * @ctx: the audit_context
1804 *
1805 * Returns the context's loginuid or -1 if @ctx is NULL.
1806 */
1807uid_t audit_get_loginuid(struct audit_context *ctx)
1808{
1809 return ctx ? ctx->loginuid : -1;
1810}
1811
1812EXPORT_SYMBOL(audit_get_loginuid);
1813
1814/**
1815 * __audit_mq_open - record audit data for a POSIX MQ open 1975 * __audit_mq_open - record audit data for a POSIX MQ open
1816 * @oflag: open flag 1976 * @oflag: open flag
1817 * @mode: mode bits 1977 * @mode: mode bits
@@ -2070,8 +2230,6 @@ int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode
2070 return 0; 2230 return 0;
2071} 2231}
2072 2232
2073int audit_argv_kb = 32;
2074
2075int audit_bprm(struct linux_binprm *bprm) 2233int audit_bprm(struct linux_binprm *bprm)
2076{ 2234{
2077 struct audit_aux_data_execve *ax; 2235 struct audit_aux_data_execve *ax;
@@ -2080,14 +2238,6 @@ int audit_bprm(struct linux_binprm *bprm)
2080 if (likely(!audit_enabled || !context || context->dummy)) 2238 if (likely(!audit_enabled || !context || context->dummy))
2081 return 0; 2239 return 0;
2082 2240
2083 /*
2084 * Even though the stack code doesn't limit the arg+env size any more,
2085 * the audit code requires that _all_ arguments be logged in a single
2086 * netlink skb. Hence cap it :-(
2087 */
2088 if (bprm->argv_len > (audit_argv_kb << 10))
2089 return -E2BIG;
2090
2091 ax = kmalloc(sizeof(*ax), GFP_KERNEL); 2241 ax = kmalloc(sizeof(*ax), GFP_KERNEL);
2092 if (!ax) 2242 if (!ax)
2093 return -ENOMEM; 2243 return -ENOMEM;
@@ -2193,7 +2343,11 @@ void __audit_ptrace(struct task_struct *t)
2193 struct audit_context *context = current->audit_context; 2343 struct audit_context *context = current->audit_context;
2194 2344
2195 context->target_pid = t->pid; 2345 context->target_pid = t->pid;
2346 context->target_auid = audit_get_loginuid(t);
2347 context->target_uid = t->uid;
2348 context->target_sessionid = audit_get_sessionid(t);
2196 selinux_get_task_sid(t, &context->target_sid); 2349 selinux_get_task_sid(t, &context->target_sid);
2350 memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
2197} 2351}
2198 2352
2199/** 2353/**
@@ -2216,8 +2370,8 @@ int __audit_signal_info(int sig, struct task_struct *t)
2216 if (audit_pid && t->tgid == audit_pid) { 2370 if (audit_pid && t->tgid == audit_pid) {
2217 if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1) { 2371 if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1) {
2218 audit_sig_pid = tsk->pid; 2372 audit_sig_pid = tsk->pid;
2219 if (ctx) 2373 if (tsk->loginuid != -1)
2220 audit_sig_uid = ctx->loginuid; 2374 audit_sig_uid = tsk->loginuid;
2221 else 2375 else
2222 audit_sig_uid = tsk->uid; 2376 audit_sig_uid = tsk->uid;
2223 selinux_get_task_sid(tsk, &audit_sig_sid); 2377 selinux_get_task_sid(tsk, &audit_sig_sid);
@@ -2230,7 +2384,11 @@ int __audit_signal_info(int sig, struct task_struct *t)
2230 * in audit_context */ 2384 * in audit_context */
2231 if (!ctx->target_pid) { 2385 if (!ctx->target_pid) {
2232 ctx->target_pid = t->tgid; 2386 ctx->target_pid = t->tgid;
2387 ctx->target_auid = audit_get_loginuid(t);
2388 ctx->target_uid = t->uid;
2389 ctx->target_sessionid = audit_get_sessionid(t);
2233 selinux_get_task_sid(t, &ctx->target_sid); 2390 selinux_get_task_sid(t, &ctx->target_sid);
2391 memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
2234 return 0; 2392 return 0;
2235 } 2393 }
2236 2394
@@ -2247,7 +2405,11 @@ int __audit_signal_info(int sig, struct task_struct *t)
2247 BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS); 2405 BUG_ON(axp->pid_count >= AUDIT_AUX_PIDS);
2248 2406
2249 axp->target_pid[axp->pid_count] = t->tgid; 2407 axp->target_pid[axp->pid_count] = t->tgid;
2408 axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
2409 axp->target_uid[axp->pid_count] = t->uid;
2410 axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
2250 selinux_get_task_sid(t, &axp->target_sid[axp->pid_count]); 2411 selinux_get_task_sid(t, &axp->target_sid[axp->pid_count]);
2412 memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
2251 axp->pid_count++; 2413 axp->pid_count++;
2252 2414
2253 return 0; 2415 return 0;
@@ -2264,6 +2426,8 @@ void audit_core_dumps(long signr)
2264{ 2426{
2265 struct audit_buffer *ab; 2427 struct audit_buffer *ab;
2266 u32 sid; 2428 u32 sid;
2429 uid_t auid = audit_get_loginuid(current);
2430 unsigned int sessionid = audit_get_sessionid(current);
2267 2431
2268 if (!audit_enabled) 2432 if (!audit_enabled)
2269 return; 2433 return;
@@ -2272,9 +2436,8 @@ void audit_core_dumps(long signr)
2272 return; 2436 return;
2273 2437
2274 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); 2438 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
2275 audit_log_format(ab, "auid=%u uid=%u gid=%u", 2439 audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
2276 audit_get_loginuid(current->audit_context), 2440 auid, current->uid, current->gid, sessionid);
2277 current->uid, current->gid);
2278 selinux_get_task_sid(current, &sid); 2441 selinux_get_task_sid(current, &sid);
2279 if (sid) { 2442 if (sid) {
2280 char *ctx = NULL; 2443 char *ctx = NULL;
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 357b68ba23ec..7cb1ac3e6fff 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -81,7 +81,6 @@ extern int percpu_pagelist_fraction;
81extern int compat_log; 81extern int compat_log;
82extern int maps_protect; 82extern int maps_protect;
83extern int sysctl_stat_interval; 83extern int sysctl_stat_interval;
84extern int audit_argv_kb;
85extern int latencytop_enabled; 84extern int latencytop_enabled;
86 85
87/* Constants used for minimum and maximum */ 86/* Constants used for minimum and maximum */
@@ -390,16 +389,6 @@ static struct ctl_table kern_table[] = {
390 .mode = 0644, 389 .mode = 0644,
391 .proc_handler = &proc_dointvec, 390 .proc_handler = &proc_dointvec,
392 }, 391 },
393#ifdef CONFIG_AUDITSYSCALL
394 {
395 .ctl_name = CTL_UNNUMBERED,
396 .procname = "audit_argv_kb",
397 .data = &audit_argv_kb,
398 .maxlen = sizeof(int),
399 .mode = 0644,
400 .proc_handler = &proc_dointvec,
401 },
402#endif
403 { 392 {
404 .ctl_name = KERN_CORE_PATTERN, 393 .ctl_name = KERN_CORE_PATTERN,
405 .procname = "core_pattern", 394 .procname = "core_pattern",